A system that includes a threat management server configured to store a device log identifying location information for endpoint devices that have passed authentication. The threat management server is configured to identify an endpoint device from the device log file and to identify a switch connected the endpoint device. The threat management server is further configured to send a location information request to the switch requesting location information for the endpoint device. The threat management server is configured to compare the received information to the information in the device log file. The threat management server is configured to block the endpoint device from accessing a communications network in response to determining the received location information does not match the information in the device log file.